Donald C. Langevoort is Thomas Aquinas Reynolds Professor of Law at Georgetown Law School. This post is based on his recent article, forthcoming in the Temple Law Review, and is part of the Delaware law series; links to other posts in the series are available here.

In nearly all narratives of how compliance has grown as a legal subject and field of practice in the last two decades, the Delaware Chancery Court’s decision in In re Caremark plays a featured role. Chancellor Allen’s opinion predicted the abandonment of the Delaware Supreme Court’s older and heavily criticized approach in Graham v. Allis-Chalmers, which had limited the board of directors’ compliance oversight obligation to situations where red flags were waving in the board’s face. It said (though entirely in dicta) that the board had an affirmative obligation to assure itself in good faith that the corporation had a system of internal reporting and compliance controls to monitor for illegal activities. Since that time, compliance has grown in size, scope and stature at nearly all large corporations.

In a forthcoming article that is part of a Temple Law Review symposium marking Caremark’s two decade anniversary, I join the lively academic debate over whether Caremark’s causal impact on the unmistakable growth curve of compliance has been overstated. After all, the holding in the decision (approving a de minimis settlement) was that the standard for holding directors of Delaware corporations liable for monetary damages under a test requiring “sustained and systematic indifference” to compliance oversight would be exceedingly hard to prove. Plus federal law had already been trending strongly in the direction of a robust corporate compliance obligation in many disparate fields of regulation (e.g., antitrust, financial services, healthcare, defense contracting) and—as Caremark duly noted—the Organizational Sentencing Guidelines had made the presence and quality of compliance (including board oversight) a substantial factor in the size and severity of any federal penalty for criminal wrongdoing. Within a few years would come even bigger waves of pressure from Washington, via the emergence of deferred prosecution agreements, corporate charging decisions, and—for public companies—the mandates of the Sarbanes-Oxley Act, which required new board structures, internal control processes and whistleblower protections to address the risk of financial misreporting, which arises in the face of any material corporate wrongdoing.

Whatever its causality, Caremark no doubt did in its time focus the attention of elite corporate lawyers, who used their considerable influence inside the boardroom to grab the attention of directors and insist on more rigorous internal procedures. As has happened with other seminal “message” opinions, the lawyers probably trumpeted the dicta and subtly downplayed how tiny the remaining liability risk was in order to upgrade compliance (a legal function) as a corporate priority. Then, and even now to an extent, it was frustratingly hard to get officers and directors to devote the time, resources and attention necessary to manage legal risks.

But we need not obsess on history. Caremark is at the very least a label attached to what all now agree is a necessary and proper subject of attention for every board of directors: corporate compliance as a function within the broader task of enterprise risk management. In this brief commentary, I want to address some lingering issues that flow out of Caremark touching on the nature and design of compliance programs and the role of the board therein. None of this is meant to be critical of Chancellor Allen or his decision, but rather to identify ways in which what was said back then no longer suffices to address the contemporary milieu of aggressive compliance.

As many corporate governance scholars have come to accept, corporations are complex interactive systems of processes, routines and feedback, the efficacy of which cannot be taken for granted and hence becomes the crucial focus of the CEO and senior management team. The overwhelming complexity is daunting—perhaps beyond even the collective brainpower of the C-Suite to comprehend—yet can and must be managed to the extent possible. Like all enterprise risks, compliance risks emerge, move and change in ways not always visible within the architectural sight lines of the firm.

It is at least arguable that independent directors haven’t enough capacity to engage with this complexity, so that Caremark was wise to demand almost nothing beyond asking that some compliance system exists. Independent boards have limited time, attention and expertise, which should thus be deployed only where most useful. Yet government enforcers and standard-setters today insist on a much greater board role without necessarily defining how or why it will be constructive.

My commentary addresses three possibilities for greater board involvement—perceptible now, if not twenty years ago. The first is on the question of how much to invest in compliance. Caremark makes this a matter of business judgment, that thus presumably a matter of costs and benefits from a corporate or shareholder wealth perspective. But enforcers today (rightly) insist on greater investment not limited by that narrower framing. I consider how and why. Second, there is the matter (not raised in Caremark) of red flags—how to deal with warning signs, and when to escalate these to the board level. That is a matter of great sensitivity, and no set of best practices. Third and finally, there is the recognition, today at least, that simply having a plan of oversight and surveillance is probably inadequate to discharge board-level monitoring—the “cultural turn” in compliance demands much more than just the right “tone from the top.”